Coordinated refresh may be performed on a single instance of ICSF, on a single-system sysplex, or on a multi-system sysplex. The coordinated refresh operation is initiated from a single ICSF instance and then carried out across all other sysplex members sharing the same active KDS (CKDS or PKDS only). This results in the in-storage copy of the KDS being updated for all ICSF instances in the sysplex that share the same active KDS as the initiator. This function is not available for the TKDS.
To perform a coordinated CKDS refresh, all members of the sysplex (including sysplex members that are not configured with the same active CKDS) must be at the ICSF FMID HCR7790 level or later. In addition, no system sharing the CKDS can be a CCF system (such as a z900 system).
To perform a coordinated PKDS refresh, all members of the sysplex (including sysplex members that are not configured with the same active PKDS) must be at the ICSF FMID HCR77A0 level or later. In addition, no system sharing the PKDS can be a CCF system (such as a z900 system).
Before performing a coordinated refresh, you should disable dynamic KDS updates on all sysplex members for the KDS type you are processing. For information on disabling dynamic CKDS updates, see Steps for disallowing dynamic CKDS updates during CKDS administration updates in Managing Cryptographic Keys Using the Key Generator Utility Program. For information on disabling PKA callable services, see Steps for enabling and disabling PKA callable services and Dynamic CKDS/PKDS Access in Managing CCA Master Keys.
If you are performing a coordinated refresh to a new KDS, you must ensure that the new target KDS of the refresh has data set attributes that are consistent with the currently active KDS. This data set must be allocated, must not be empty, and must be enciphered with the current master key or keys. You can optionally use the archive option to rename the current KDS to an archive name and the new KDS to the active KDS name. The archive data set name must not be allocated or exist on the system prior to performing the coordinated refresh.
To perform a coordinated refresh:
To perform a coordinated refresh of the CKDS, select option 1, CKDS MK MANAGEMENT to perform Cryptographic Key Data Set (CKDS) functions including master key management. The CSFMKM20 — CKDS Management panel appears. Then select option 4, COORDINATED CKDS REFRESH CKDS.
To perform a coordinated refresh of the PKDS, select option 2, PKDS MK MANAGEMENT to perform Public Key Data Set (PKDS) functions including master key management. The CSFMKM30 — PKDS Management panel appears. Then select option 4 for Coordinated PKDS Refresh.
CSFCRC20 ------------ ICSF – Coordinated KDS Refresh --------------------
COMMAND ===>
To perform a coordinated KDS refresh to a new KDS, enter the KDS names below
and optionally select the rename option. To perform a coordinated KDS refresh
of the active KDS, simply press enter without entering anything on this panel.
KDS Type ===> CKDS
Active KDS ===> 'PLEX.TEST.CKDS'
New KDS ===>
Rename Active to Archived and New to Active (Y/N) ===> N
Archived KDS ===>
Press ENTER to perform a coordinated KDS refresh.
Press END to exit to the previous menu.
The active KDS name is displayed in the Active KDS field for the selected KDS type. You can use this panel to refresh to a new KDS or to refresh the active KDS.